Changeset 217005 in webkit

Timestamp:

May 17, 2017 2:53:01 PM (7 years ago)

Author:

pvollan@apple.com

Message:

Crash under WebCore::AudioSourceProviderAVFObjC::process().
​https://bugs.webkit.org/show_bug.cgi?id=172101
rdar://problem/27446589

Reviewed by Jer Noble.

Calling the function MTAudioProcessingTapGetSourceAudio when the value of the
MTAudioProcessingTapRef parameter is null, will lead to a null dereference.
This can for example happen if MediaPlayerPrivateAVFoundationObjC::cancelLoad()
is called on the main thread while MediaToolbox is calling the
WebCore::AudioSourceProviderAVFObjC::processCallback function on a secondary
thread. MediaPlayerPrivateAVFoundationObjC::cancelLoad() will then call
AudioSourceProviderAVFObjC::setPlayerItem(nullptr), which will call
AudioSourceProviderAVFObjC::destroyMix(), which will set m_tap to null. When
AudioSourceProviderAVFObjC::process is called on the secondary thread, using
the m_tap member in the call to MTAudioProcessingTapGetSourceAudio, the process
will crash.

No new tests since I am not able to reproduce.

• platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm:

(WebCore::AudioSourceProviderAVFObjC::initCallback):
(WebCore::AudioSourceProviderAVFObjC::process):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm (modified) (2 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-05-17  Per Arne Vollan  <pvollan@apple.com>
+
+        Crash under WebCore::AudioSourceProviderAVFObjC::process().
+        https://bugs.webkit.org/show_bug.cgi?id=172101
+        rdar://problem/27446589
+
+        Reviewed by Jer Noble.
+
+        Calling the function MTAudioProcessingTapGetSourceAudio when the value of the
+        MTAudioProcessingTapRef parameter is null, will lead to a null dereference.
+        This can for example happen if MediaPlayerPrivateAVFoundationObjC::cancelLoad()
+        is called on the main thread while MediaToolbox is calling the
+        WebCore::AudioSourceProviderAVFObjC::processCallback function on a secondary
+        thread. MediaPlayerPrivateAVFoundationObjC::cancelLoad() will then call
+        AudioSourceProviderAVFObjC::setPlayerItem(nullptr), which will call
+        AudioSourceProviderAVFObjC::destroyMix(), which will set m_tap to null. When
+        AudioSourceProviderAVFObjC::process is called on the secondary thread, using
+        the m_tap member in the call to MTAudioProcessingTapGetSourceAudio, the process
+        will crash.
+
+        No new tests since I am not able to reproduce.
+
+        * platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm:
+        (WebCore::AudioSourceProviderAVFObjC::initCallback):
+        (WebCore::AudioSourceProviderAVFObjC::process):
+
 2017-05-17  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm

@@ -238 +238 @@
 void AudioSourceProviderAVFObjC::initCallback(MTAudioProcessingTapRef tap, void* clientInfo, void** tapStorageOut)
 {
+    ASSERT(tap);
     AudioSourceProviderAVFObjC* _this = static_cast<AudioSourceProviderAVFObjC*>(clientInfo);
     _this->m_tap = tap;
@@ -360 +361 @@
 {
     UNUSED_PARAM(flags);
+    
+    RetainPtr<MTAudioProcessingTapRef> tap = m_tap;
+    if (!tap)
+        return;
 
     CMItemCount itemCount = 0;
     CMTimeRange rangeOut;
-    OSStatus status = MTAudioProcessingTapGetSourceAudio(m_tap.get(), numberOfFrames, bufferListInOut, flagsOut, &rangeOut, &itemCount);
+    OSStatus status = MTAudioProcessingTapGetSourceAudio(tap.get(), numberOfFrames, bufferListInOut, flagsOut, &rangeOut, &itemCount);
     if (status != noErr || !itemCount)
         return;